Determination of Patent Term Adjustment under 35 U.S.C. 154 (b) 

(application filed on or after May 29, 2000) 

The Patent Term Adjustment to date is 133 day(s). If the issue fee is paid on the date that is three months after the 
mailing date of this notice and the patent issues on the Tuesday before the date that is 28 weeks (six and a half 

If a Continued Prosecution Application (CPA) was filed in the above-identified application, the filing date that 
determines Patent Term Adjustment is the filing date of the most recent CPA. 
Applicant(s) 

VALDES ET AL. 
-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -- 

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1. ☒ This communication is responsive to Appeal Brief filed 8/18/2010. 

2. ☒ The allowed claim(s) is/are 1, 2, 7, 8, 13 and 14. 

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the: 

1. □ Certified copies of the priority documents have been received. 

2. □ Certified copies of the priority documents have been received in Application No. . 

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the 
International Bureau (PCT Rule 17.2(a)). 

* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted. 

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached 

1) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 

attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 



Attachment(s) 

1. ☒ Notice of References Cited (PTO-892) 

2. □ Notice of Draftperson's Patent Drawing Review (PTO-948) 

3. □ Information Disclosure Statements (PTO/SB/08), 

Paper No./Mail Date 

4. □ Examiner's Comment Regarding Requirement for Deposit 

of Biological Material 



5. □ Notice of Informal Patent Application 

6. □ Interview Summary (PTO-413), 

Paper No./Mail Date . 

7. ☒ Examiner's Amendment/Comment 

8. ☒ Examiner's Statement of Reasons for Allowance 

9. □ Other . 
DETAILED ACTION 

1. This Office Action is in response to the Appeal Brief filed August 18, 2010. 
Claims 1-30 are currently pending in this case. 

EXAMINER'S AMENDMENT 

2. An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

3. Authorization for this examiner's amendment was given in a telephone interview 
with Diana Rea, reg.no. 54,938, on November 12, 2010. 

4. The claims are hereby amended as follows: 

1. (Currently Amended) In an intrusion detection system that includes a plurality of 
sensors that generate alerts when attacks or anomalous incidents are detected, a 
method for organizing the alerts into alert classes, both the alerts and the alert classes 
having a plurality of features, the method comprising: 

(a) receiving a new alert; 

(b) identifying a set of similar features shared by the new alert and one or more 
existing alert classes; 

(c) updating, using a processor, a threshold similarity requirement for one or 
more of the similar features; 

(d) updating, using a processor, a similarity expectation for one or more of the 
similar features; 
(e) comparing, using a processor, the new alert with the one or more existing 
alert classes, using a similarity measure Sim(X,Y) that expresses a similarity between 
the new alert and a given one of the one or more existing alert classes, where Sim(X,Y) 
is defined as: 

Sim(X,Y) = [displayed equation not captured by OCR; legible fragment: (Px · Px)(Py · Py)] 

where X is a set of features and probability values for the new alert, Y is a set of 
features and probability values for the given one of the one or more existing alert 
classes, Px(C) is a probability of a category C in X, Py(C) is a probability of the category 
C in Y, Px is a probability vector over one or more categories observed for X, and Py is 
a probability vector over one or more categories observed for Y; and either: 

(f1) associating, using a processor, the new alert with a one of the one or more 
existing alert classes that the new alert most closely matches according to the similarity 
measure; or 

(f2) defining, using a processor, a new alert class that is associated with the new 
alert[[,]] 

[[wherein at least one of: the receiving, the identifying, the updating a threshold 
similarity, the updating a similarity expectation, the comparing, the associating, or the 
defining is performed by a processor.]] 

2. (Previously Presented) The method of claim 1 further comprising a step (a1) of 
passing each of the one or more existing alert classes through a transition model to 
generate a new prior belief state for each of the one or more existing alert classes. 


3.-6. (Cancelled) 
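The clustering procedure recited in claims 1 and 2 above, written out as an added Python example; it is not part of this Office action or of the applicant's specification. Because the displayed equation is only partially legible here, Sim(X,Y) is assumed to take the cosine form sum over C of Px(C)·Py(C) divided by sqrt((Px · Px)(Py · Py)); the rules for updating the threshold (step c) and the expectation (step d), the expectation-weighted combination of per-feature similarities, and the forgetting-style transition model standing in for claim 2's step (a1) are likewise assumptions, and the alerts are constructed sample data:

```python
"""Alert clustering following steps (a)-(f2) of claim 1 and step (a1) of claim 2.
Assumed (not on the page): Sim(X,Y) is cosine similarity, threshold/expectation
are adapted from the similarities seen at the previous association, and the
transition model is exponential forgetting. All alerts are constructed samples."""
from dataclasses import dataclass, field
from math import sqrt

Alert = dict[str, str]           # feature name -> observed category
Distribution = dict[str, float]  # category -> probability


def sim(px: Distribution, py: Distribution) -> float:
    """Assumed Sim(X,Y) for one feature: sum_C Px(C)Py(C) / sqrt((Px.Px)(Py.Py))."""
    num = sum(p * py.get(c, 0.0) for c, p in px.items())
    den = sqrt(sum(p * p for p in px.values()) * sum(p * p for p in py.values()))
    return num / den if den else 0.0


@dataclass
class AlertClass:
    """An alert class: per-feature category counts accumulated from its alerts."""
    counts: dict[str, dict[str, float]] = field(default_factory=dict)

    def distribution(self, feature: str) -> Distribution:
        cats = self.counts.get(feature, {})
        total = sum(cats.values())
        return {c: n / total for c, n in cats.items()} if total else {}

    def absorb(self, alert: Alert) -> None:
        for feature, category in alert.items():
            cats = self.counts.setdefault(feature, {})
            cats[category] = cats.get(category, 0.0) + 1.0

    def transition(self, forget: float) -> None:
        # Assumed transition model (claim 2): scale old evidence down so the
        # class's prior belief yields faster to new alerts.
        for cats in self.counts.values():
            for category in cats:
                cats[category] *= 1.0 - forget


@dataclass
class AlertClusterer:
    expectation: dict[str, float] = field(default_factory=dict)  # expected similarity per feature
    threshold: dict[str, float] = field(default_factory=dict)    # minimum similarity per feature
    rate: float = 0.2     # learning rate of the expectation update, step (d)
    slack: float = 0.5    # threshold is kept this far below the expectation, step (c)
    floor: float = 0.0    # lowest threshold any feature may take
    forget: float = 0.0   # forgetting factor of the transition model, step (a1)
    classes: list[AlertClass] = field(default_factory=list)
    last_sims: dict[str, float] = field(default_factory=dict)  # similarities at last association

    def process(self, alert: Alert) -> tuple[int, bool]:
        """Run steps (a)-(f2) for one alert; returns (class index, new class created)."""
        for cls in self.classes:                          # step (a1), claim 2
            cls.transition(self.forget)
        for feature in alert:                             # steps (c) and (d)
            exp = self.expectation.get(feature, 1.0)
            if feature in self.last_sims:
                exp = (1.0 - self.rate) * exp + self.rate * self.last_sims[feature]
            self.expectation[feature] = exp
            self.threshold[feature] = max(self.floor, exp - self.slack)
        best, best_score, best_sims = -1, -1.0, {}
        for idx, cls in enumerate(self.classes):
            shared = [f for f in alert if f in cls.counts]          # step (b)
            if not shared:
                continue
            sims = {f: sim({alert[f]: 1.0}, cls.distribution(f)) for f in shared}  # step (e)
            if any(sims[f] < self.threshold[f] for f in shared):
                continue                                   # threshold requirement failed
            weight = sum(self.expectation[f] for f in shared)
            score = (sum(sims[f] * self.expectation[f] for f in shared) / weight
                     if weight else sum(sims.values()) / len(shared))
            if score > best_score:
                best, best_score, best_sims = idx, score, sims
        if best >= 0:                                      # step (f1)
            self.classes[best].absorb(alert)
            self.last_sims = best_sims
            return best, False
        new_class = AlertClass()                           # step (f2)
        new_class.absorb(alert)
        self.classes.append(new_class)
        return len(self.classes) - 1, True


def demo() -> list[tuple[int, bool]]:
    """Constructed alerts: one host scanning several ports, then an unrelated
    alert. dst_port starts with zero expected similarity, so a changing port
    does not split the scan into one class per port."""
    clusterer = AlertClusterer(expectation={"dst_port": 0.0})
    alerts = [
        {"src": "10.0.0.5", "dst_port": "22", "sig": "portscan"},
        {"src": "10.0.0.5", "dst_port": "23", "sig": "portscan"},
        {"src": "10.0.0.5", "dst_port": "80", "sig": "portscan"},
        {"src": "192.168.1.9", "dst_port": "445", "sig": "smb-exploit"},
        {"src": "10.0.0.5", "dst_port": "23", "sig": "portscan"},
    ]
    return [clusterer.process(a) for a in alerts]


if __name__ == "__main__":
    for i, (idx, created) in enumerate(demo(), 1):
        print(f"alert {i}: class {idx} ({'new' if created else 'associated'})")
```

The two per-feature quantities play different roles: the threshold is a hard requirement (a class whose similarity on any shared feature falls below it is never a candidate), while the expectation weights how much each feature contributes to the overall score. In the constructed run, the three scan alerts and the later repeat all land in class 0 even though the port keeps changing, and the alert from the other source fails the src threshold and starts class 1.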
7. (Currently Amended) A computer readable storage medium containing an 
executable program for organizing alerts that are generated by a plurality of sensors 
into alert classes, both the alerts and the alert classes having a plurality of features, 
where the program, when executed by a processor, causes the [a] processor to perform 
steps of: 

(a) receiving a new alert; 

(b) identifying a set of similar features shared by the new alert and one or more 
existing alert classes; 

(c) updating a threshold similarity requirement for one or more of the similar 
features; 

(d) updating a similarity expectation for one or more of the similar features; 

(e) comparing the new alert with the one or more existing alert classes, using a 
similarity measure Sim(X,Y) that expresses a similarity between the new alert and a 
given one of the one or more existing alert classes, where Sim(X,Y) is defined as: 

Sim(X,Y) = [displayed equation not captured by OCR; legible fragment: (Px · Px)(Py · Py)] 

where X is a set of features and probability values for the new alert, Y is a set of 
features and probability values for the given one of the one or more existing alert 
classes, Px(C) is a probability of a category C in X, Py(C) is a probability of the category 
C in Y, Px is a probability vector over one or more categories observed for X, and Py is 
a probability vector over one or more categories observed for Y; and either: 

(f1) associating the new alert with a one of the one or more existing alert classes 
that the new alert most closely matches according to the similarity measure; or 

(f2) defining a new alert class that is associated with the new alert. 


Application/Control Number: 09/944,788 

Page 5 

Art Unit: 3685 

8. (Previously Presented) The computer readable storage medium of claim 7 further 
comprising a step (a1) of passing each of the one or more existing alert classes through 
a transition model to generate a new prior belief state for each of the one or more 
existing alert classes. 

9.-12. (Cancelled) 

13. (Currently Amended) In an intrusion detection system that includes a plurality of 
sensors that generate alerts when attacks or anomalous incidents are detected, a 
system for organizing the alerts into alert classes, both the alerts and the alert classes 
having a plurality of features, where the system comprises: 

(a) means for receiving a new alert; 

(b) means for identifying a set of similar features shared by the new alert and one 
or more existing alert classes; 

(c) means for updating a threshold similarity requirement for one or more of the 
similar features; 

(d) means for updating a similarity expectation for one or more of the similar 
features; 

(e) means for comparing the new alert with the one or more existing alert 
classes, using a similarity measure Sim(X,Y) that expresses a similarity between the 
new alert and a given one of the one or more existing alert classes, where Sim(X,Y) is 
defined as: 

Sim(X,Y) = [displayed equation not captured by OCR; legible fragment: (Px · Px)(Py · Py)] 

where X is a set of features and probability values for the new alert, Y is a set of 
features and probability values for the given one of the one or more existing alert 
classes, Px(C) is a probability of a category C in X, Py(C) is a probability of the category 
C in Y, Px is a probability vector over one or more categories observed for X, and Py is 
a probability vector over one or more categories observed for Y; and 

(f1) means for associating the new alert with a one of the one or more existing 
alert classes that the new alert most closely matches according to the similarity 
measure, or defining a new alert class that is associated with the new alert. 

14. (Previously Presented) The system of claim 13 further comprising (a1) means 
for passing each of the one or more existing alert classes through a transition model to 
generate a new prior belief state for each of the one or more existing alert classes. 

15.-30. (Cancelled) 

Reasons for Allowance 

5. Claims 1-2, 7-8, and 13-14 are allowed. 

6. The following is the Examiner's statement of reasons for allowance: 

7. Regarding the claimed terms, Applicant is reminded that a "general term must be 
understood in the context in which the inventor presents it." In re Glaug 283 F.3d 1335, 
1340, 62 USPQ2d 1151, 1154 (Fed. Cir. 2002). Therefore the Examiner must interpret 
the claimed terms as found on pages 1-59 of the specification. Clearly almost all the 
general terms in the claims may have multiple meanings. So where a claim term "is 
susceptible to various meanings ... the inventor's lexicography must prevail . . . ." Id. 
Using these definitions for the claims, the claimed invention was not reasonably found in 
the prior art. 

8. The primary reference Nine et al (US 6,560,611) discloses as previously 
discussed. Nine, however, does not disclose at least comparing, using a processor, the 
new alert with the one or more existing alert classes, using a similarity measure 
Sim(X,Y) that expresses a similarity between the new alert and a given one of the one 
or more existing alert classes, where Sim(X,Y) is defined as: 



where X is a set of features and probability values for the new alert, Y is a set of 
features and probability values for the given one of the one or more existing alert 
classes, Px(C) is a probability of a category C in X, Py(C) is a probability of the category 
C in Y, Px is a probability vector over one or more categories observed for X, and Py is 
a probability vector over one or more categories observed for Y. Moreover, the missing 
claimed feature is not likely to be found in a reasonable number of references. 

9. For these reasons, independent claims 1, 7, and 13 and their dependent claims 
2, 8, and 14 are deemed allowable. 

10. Any comments considered necessary by Applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

11. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CRISTINA SHERR whose telephone number is 
(571) 272-6711. The examiner can normally be reached on 8:30-5:00 Monday through 
Friday. 

12. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Calvin L. Hewitt, II can be reached on (571) 272-6709. The fax phone 
number for the organization where this application or proceeding is assigned is 
571-273-8300. 

13. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

CRISTINA OWEN SHERR 

Examiner 

Art Unit 3685 

/Calvin L Hewitt II/ 

Supervisory Patent Examiner, Art Unit 3685 



